Package

play.api.libs.ws

ssl

Permalink

package ssl

Source
package.scala
Linear Supertypes
AnyRef, Any
Ordering
  1. Alphabetic
  2. By inheritance
Inherited
  1. ssl
  2. AnyRef
  3. Any
  1. Hide All
  2. Show all
Visibility
  1. Public
  2. All

Type Members

  1. class AlgorithmChecker extends PKIXCertPathChecker

    Permalink

    Looks for disabled algorithms in the certificate.

    Looks for disabled algorithms in the certificate. This is because some certificates are signed with forgable hashes such as MD2 or MD5, so we can't be certain of their authenticity.

    This class is needed because the JDK 1.6 Algorithm checker doesn't give us any way to customize the list of disabled algorithms, and we need to be able to support that.

    Also note that we need to check the trust anchor for disabled key sizes, and the CertPath explicitly removes the trust anchor from the chain of certificates. This means we need to check the trust anchor explicitly in the through the CompositeTrustManager.

  2. case class AlgorithmConstraint(algorithm: String, constraint: Option[ExpressionSymbol] = None) extends Product with Serializable

    Permalink
  3. class CompositeCertificateException extends CertificateException

    Permalink

    A certificate exception that contains underlying exceptions.

  4. class CompositeX509KeyManager extends X509ExtendedKeyManager

    Permalink

    A keymanager that wraps other X509 key managers.

  5. class CompositeX509TrustManager extends X509TrustManager

    Permalink

    A trust manager that is a composite of several smaller trust managers.

    A trust manager that is a composite of several smaller trust managers. It is responsible for verifying the credentials received from a peer.

  6. class ConfigSSLContextBuilder extends SSLContextBuilder

    Permalink

    Creates an SSL context builder from info objects.

  7. class DefaultKeyManagerFactoryWrapper extends KeyManagerFactoryWrapper

    Permalink
  8. class DefaultTrustManagerFactoryWrapper extends TrustManagerFactoryWrapper

    Permalink
  9. case class Equal(x: Int) extends ExpressionSymbol with Product with Serializable

    Permalink
  10. sealed abstract class ExpressionSymbol extends AnyRef

    Permalink
  11. class FileBasedKeyStoreBuilder extends KeyStoreBuilder

    Permalink

    Builds a keystore from a file containing PEM encoded certificates, using CertificateFactory internally.

    Builds a keystore from a file containing PEM encoded certificates, using CertificateFactory internally.

    See also

    java.security.cert.CertificateFactory

  12. class JavaSecurityDebugBuilder extends AnyRef

    Permalink

    See also

    http://docs.oracle.com/javase/8/docs/technotes/guides/security/certpath/CertPathProgGuide.html

  13. class JavaxNetDebugBuilder extends AnyRef

    Permalink

    A builder for setting the system property options in "javax.net.debug" and in "java.security.debug' (in the case of "certpath").

    A builder for setting the system property options in "javax.net.debug" and in "java.security.debug' (in the case of "certpath").

    See also

    http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/ReadDebug.html

    http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#Debug

  14. case class KeyManagerConfig(algorithm: String = ..., keyStoreConfigs: Seq[KeyStoreConfig] = Nil) extends Product with Serializable

    Permalink

    The key manager config.

    The key manager config.

    algorithm

    The algoritm to use.

    keyStoreConfigs

    The key stores to use.

  15. trait KeyManagerFactoryWrapper extends AnyRef

    Permalink
  16. trait KeyStoreBuilder extends AnyRef

    Permalink
  17. case class KeyStoreConfig(storeType: String = KeyStore.getDefaultType, filePath: Option[String] = None, data: Option[String] = None, password: Option[String] = None) extends Product with Serializable

    Permalink

    Configuration for a keystore.

    Configuration for a keystore.

    A key store must either provide a file path, or a data String.

    storeType

    The store type. Defaults to the platform default store type (ie, JKS).

    filePath

    The path of the key store file.

    data

    The data to load the key store file from.

    password

    The password to use to load the key store file, if the file is password protected.

  18. case class LessThan(x: Int) extends ExpressionSymbol with Product with Serializable

    Permalink
  19. case class LessThanOrEqual(x: Int) extends ExpressionSymbol with Product with Serializable

    Permalink
  20. trait MonkeyPatcher extends AnyRef

    Permalink

  21. case class MoreThan(x: Int) extends ExpressionSymbol with Product with Serializable

    Permalink
  22. case class MoreThanOrEqual(x: Int) extends ExpressionSymbol with Product with Serializable

    Permalink
  23. case class NotEqual(x: Int) extends ExpressionSymbol with Product with Serializable

    Permalink
  24. case class SSLConfig(default: Boolean = false, protocol: String = "TLSv1.2", checkRevocation: Option[Boolean] = None, revocationLists: Option[Seq[URL]] = None, enabledCipherSuites: Option[Seq[String]] = None, enabledProtocols: Option[Seq[String]] = ..., disabledSignatureAlgorithms: Seq[String] = Seq("MD2", "MD4", "MD5"), disabledKeyAlgorithms: Seq[String] = ..., keyManagerConfig: KeyManagerConfig = KeyManagerConfig(), trustManagerConfig: TrustManagerConfig = TrustManagerConfig(), secureRandom: Option[SecureRandom] = None, debug: SSLDebugConfig = SSLDebugConfig(), loose: SSLLooseConfig = SSLLooseConfig()) extends Product with Serializable

    Permalink

    The SSL configuration.

    The SSL configuration.

    default

    Whether we should use the default JVM SSL configuration or not.

    protocol

    The SSL protocol to use. Defaults to TLSv1.2.

    checkRevocation

    Whether revocation lists should be checked, if None, defaults to platform default setting.

    revocationLists

    The revocation lists to check.

    enabledCipherSuites

    If defined, override the platform default cipher suites.

    enabledProtocols

    If defined, override the platform default protocols.

    disabledSignatureAlgorithms

    The disabled signature algorithms.

    disabledKeyAlgorithms

    The disabled key algorithms.

    keyManagerConfig

    The key manager configuration.

    trustManagerConfig

    The trust manager configuration.

    secureRandom

    The SecureRandom instance to use. Let the platform choose if None.

    debug

    The debug config.

    loose

    Loose configuratino parameters

  25. class SSLConfigParser extends AnyRef

    Permalink
  26. trait SSLContextBuilder extends AnyRef

    Permalink
  27. case class SSLDebugConfig(all: Boolean = false, ssl: Boolean = false, certpath: Boolean = false, ocsp: Boolean = false, record: Option[SSLDebugRecordOptions] = None, handshake: Option[SSLDebugHandshakeOptions] = None, keygen: Boolean = false, session: Boolean = false, defaultctx: Boolean = false, sslctx: Boolean = false, sessioncache: Boolean = false, keymanager: Boolean = false, trustmanager: Boolean = false, pluggability: Boolean = false) extends Product with Serializable

    Permalink

    SSL debug configuration.

  28. case class SSLDebugHandshakeOptions(data: Boolean = false, verbose: Boolean = false) extends Product with Serializable

    Permalink

    SSL handshake debugging options.

  29. case class SSLDebugRecordOptions(plaintext: Boolean = false, packet: Boolean = false) extends Product with Serializable

    Permalink

    SSL record debugging options.

  30. case class SSLLooseConfig(allowWeakCiphers: Boolean = false, allowWeakProtocols: Boolean = false, allowLegacyHelloMessages: Option[Boolean] = None, allowUnsafeRenegotiation: Option[Boolean] = None, acceptAnyCertificate: Boolean = false) extends Product with Serializable

    Permalink

    Configuration for specifying loose (potentially dangerous) ssl config.

    Configuration for specifying loose (potentially dangerous) ssl config.

    allowWeakCiphers

    Whether weak ciphers should be allowed or not.

    allowWeakProtocols

    Whether weak protocols should be allowed or not.

    allowLegacyHelloMessages

    Whether legacy hello messages should be allowed or not. If None, uses the platform default.

    allowUnsafeRenegotiation

    Whether unsafe renegotiation should be allowed or not. If None, uses the platform default.

    acceptAnyCertificate

    Whether any X.509 certificate should be accepted or not.

  31. class SimpleSSLContextBuilder extends SSLContextBuilder

    Permalink

    A simple SSL context builder.

    A simple SSL context builder. If the keyManagers or trustManagers are empty, then null is used in the init method. Likewise, if secureRandom is None then null is used.

  32. class StringBasedKeyStoreBuilder extends KeyStoreBuilder

    Permalink

    Builds a keystore from a string containing PEM encoded certificates, using CertificateFactory internally.

    Builds a keystore from a string containing PEM encoded certificates, using CertificateFactory internally.

    See also

    java.security.cert.CertificateFactory

  33. class SystemConfiguration extends AnyRef

    Permalink

    Configures global system properties on the JSSE implementation, if defined.

    Configures global system properties on the JSSE implementation, if defined.

    WARNING: This class sets system properties to configure JSSE code which typically uses static initialization on load. Because of this, if classes are loaded in BEFORE this code has a chance to operate, you may find that this code works inconsistently. The solution is to set the system properties on the command line explicitly (or in the case of "ocsp.enable", in the security property file).

  34. case class TrustManagerConfig(algorithm: String = ..., trustStoreConfigs: Seq[TrustStoreConfig] = Nil) extends Product with Serializable

    Permalink

    The trust manager config.

    The trust manager config.

    algorithm

    The algorithm to use.

    trustStoreConfigs

    The trust stores to use.

  35. trait TrustManagerFactoryWrapper extends AnyRef

    Permalink
  36. case class TrustStoreConfig(storeType: String = KeyStore.getDefaultType, filePath: Option[String], data: Option[String]) extends Product with Serializable

    Permalink

    Configuration for a trust store.

    Configuration for a trust store.

    A trust store must either provide a file path, or a data String.

    storeType

    The store type. Defaults to the platform default store type (ie, JKS).

    filePath

    The path of the key store file.

    data

    The data to load the key store file from.

Value Members

  1. object AlgorithmConstraintsParser extends RegexParsers

    Permalink

    Parser based on the jdk.certpath.disabledAlgorithm BNF.

    Parser based on the jdk.certpath.disabledAlgorithm BNF.

    See also

    http://sim.ivi.co/2011/07/java-se-7-release-security-enhancements.html

  2. object Algorithms

    Permalink

    This singleton object provides the code needed to check for minimum standards of an X.509 certificate.

    This singleton object provides the code needed to check for minimum standards of an X.509 certificate. Over 95% of trusted leaf certificates and 95% of trusted signing certificates use NIST recommended key sizes. Play supports Java 1.6, which does not have built in certificate strength checking, so we roll our own here.

    The default settings here are based off NIST SP 800-57, using Dates for Phasing out MD5-based signatures and 1024-bit moduli as a practical guide.

    Note that the key sizes are checked on root CA certificates in the trust store. As the Mozilla document says:

    The other concern that needs to be addressed is that of RSA1024 being too small a modulus to be robust against faster computers. Unlike a signature algorithm, where only intermediate and end-entity certificates are impacted, fast math means we have to disable or remove all instances of 1024-bit moduli, including the root certificates.

    Relevant key sizes:

    According to NIST SP 800-57 the recommended algorithms and minimum key sizes are as follows: Through 2010 (minimum of 80 bits of strength) FFC (e.g., DSA, D-H) Minimum: L=1024; N=160 IFC (e.g., RSA) Minimum: k=1024 ECC (e.g. ECDSA) Minimum: f=160 Through 2030 (minimum of 112 bits of strength) FFC (e.g., DSA, D-H) Minimum: L=2048; N=224 IFC (e.g., RSA) Minimum: k=2048 ECC (e.g. ECDSA) Minimum: f=224 Beyond 2030 (minimum of 128 bits of strength) FFC (e.g., DSA, D-H) Minimum: L=3072; N=256 IFC (e.g., RSA) Minimum: k=3072 ECC (e.g. ECDSA) Minimum: f=256

    Relevant signature algorithms:

    The known weak signature algorithms are "MD2, MD4, MD5".

    SHA-1 is considered too weak for new certificates, but is still allowed for verifying old certificates in the chain. The TLS and NIST'S Policy on Hash Functions blog post by one of the JSSE authors has more details, in particular the "Put it into practice" section.

  3. object Ciphers

    Permalink

    This class contains sets of recommended and deprecated TLS cipher suites.

    This class contains sets of recommended and deprecated TLS cipher suites.

    The JSSE list of cipher suites is different from the RFC defined list, with some cipher suites prefixed with "SSL_" instead of "TLS_". A full list is available from the SunJSSE provider list

    Please see https://www.playframework.com/documentation/latest/CipherSuites for more details.

  4. object CompositeCertificateException extends Serializable

    Permalink
  5. object KeystoreFormats

    Permalink
  6. object Protocols

    Permalink
  7. object SSLConfigFactory

    Permalink

    Factory for creating SSL config (for use from Java).

  8. implicit def arrayCertsToListCerts(chain: Array[Certificate]): List[Certificate]

    Permalink
  9. implicit def certResult2PKIXResult(result: CertPathValidatorResult): PKIXCertPathValidatorResult

    Permalink
  10. implicit def certificate2X509Certificate(cert: Certificate): X509Certificate

    Permalink
  11. package debug

    Permalink
  12. def debugChain(chain: Array[X509Certificate]): Seq[String]

    Permalink
  13. def foldRuntime[T](older: ⇒ T, newer: ⇒ T): T

    Permalink
  14. def foldVersion[T](run16: ⇒ T, runHigher: ⇒ T): T

    Permalink
  15. def isOpenJdk: Boolean

    Permalink

Inherited from AnyRef

Inherited from Any

Ungrouped